Change config settings using a bash script

There is a trend to perform all system administration tasks using scripts. The benefit of this approach is that the scripts can be checked into a source control system, such as GitHub. One great application of this strategy is the script that you use to harden your Linux systems. This…

CISSP vs CEH vs Security+

A friend of mine recently made the following post on his Facebook page. It resulted in an interesting discussion, so I thought that I would share it and my response. OPINIONS wanted: Ok all of my professional FB friends. I am looking at possibly taking some training and obtaining new…

The Contracting Life Cycle

Just as there is a life cycle for software development, there is a life cycle for contracting, and this cycle must be managed as well to assure information security for the organization. While there are a variety of formal models promoted by contract management software vendors, the typical phases include:…

Define: PCI Service Provider

A PCI Service Provider is a “Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed…

Defense-in-depth, Part 2

Last post, I discussed the concept of defense-in-depth (DiD), where overlapping controls provide increased security, particularly if one of the controls should happen to fail. Now, I will give a specific example: host-based firewalls. Both the Windows and Linux operating systems have firewalling capabilities built into the OS. Frequently, I will…

ZeroBin as an XSS Attack Platform

What if you could have hundreds of websites from which to launch an encrypted cross-site scripting attack? What if the web servers could store the XSS attack code for you but could not decrypt it? What if the encrypted code could be set to expire after a set time or immediately after…

ZeroBin XSS Vulnerability Patched in 0.19

Sébastien Sauvage has just informed me that he has released version 0.19 to address the cross-site scripting vulnerability that I wrote about in my previous blog post. You can find it at https://github.com/sebsauvage/ZeroBin/releases/0.19. Websites that host the ZeroBin software should update to this latest version. Although the more modern browsers may mitigate…

Defense in Depth

Security is hard because it requires attention to detail and getting the “blocking & tackling” right. There are lots of cool and shiny security products on the market today. Remember, a “product” is not a “solution” until it is tailor-fit to meet the needs of the organization and properly maintained…

Security Policy Exceptions

Not long ago, I was reading a debate on a LinkedIn.com forum discussing all kinds of edge cases that some participants were arguing needed to be considered in a security policy regarding some particular aspect of security. In fact, I forget what the issue was, but it was clear that…